1. Applied VoIP Security & Reliability on Commodity Services, Hardware & Software
…a primer on what works in the real world
2. Informal Poll
Legacy PBX replacement / upgrade path?
VoIP in your enterprise?
Asterisk in your enterprise?
Just starting out with VoIP?
3. Presentation Overview
Review common business communications struggles
Solutions overview: availability, reliability, security
Software: Asterisk lessons learned
Hardware
ITSPs we rely on
“Mid-dive”: measurement methods
4. Speaker Introduction
Dennis Little (KeyCruncher)
Passion: “Technology Translator” & Communications
Head, Business Communications division, tapestry technologies, LLC (tt)
Asterisk believer since 2005
SME: Defense IT Policy, Training
Shout-out: Anteil, Inc.
IRC: keycruncher | KeyCruncher.com | dennis@tapestrytech.com | MyBusinessTelephone.com
5. Why believe in Asterisk?
Engineering support for a large, proprietary (Avaya) installation
$400M organization, $40k benevolent care / day
Supporting 2,200+ staff and 3,000+ seniors in PA, MD & DE
Serving 70,000+ families & children per year
A lot of FOSS software underneath…
6. Full Disclosure
tapestry Affiliations
Digium® Affiliate Asterisk® Integrator
Polycom® Authorized Partner (VoIP)
Xorcom® Certified Dealer (but we used them before we sold them)
My experience + struggles + solutions != the best way
7. Why Voice over IP? Why Asterisk?
Quality
Flexibility & Scalability
Connectivity, providers, contact center location
Contract commitments (or lack thereof)
Easy path forward for legacy systems
Standards-based vs. proprietary
Return on Investment & cost savings
8. Case Study Overview
Lodging business
Startup in 2009 with 4 staff in 2 states
? carriers, ? volume
Today: ~27 staff in 7 locations
Remote colo w/ failover
Robust, secure, flexible
Future = ??
10. Solution(s) Philosophy
FOSS where it makes business sense
FOSS where it is ready for prime time
Encryption.
Least-privilege.
Always have a failover and backup(s)
11. Requirements: Providers
Quality colo facilities
History of reliability & availability
ITSPs (always have a failover plan)
Vitelity – flexibility, very good support, reliable
Bandwidth.com – reputable, unlimited usage
12. Requirements: Security
Only allow necessary traffic
VoIP provider should be able to tell you all of their subnets
You should know all of yours
VPN tunnel everything – it was worth the overhead here
Follow VoIP security best practices & stay involved
Community events & networking w/ like-minded folks
Excellent documentation
IRC / Mailing lists / RSS feeds
VUC.me (VoIP Users Conference call: Friday, noon)
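The slide's rule (only necessary traffic, the provider's full subnet list, your own list) comes down to a firewall allow-list. As an added example that is not from the talk, the script below turns both lists into an iptables-restore rule set as text so it can be reviewed before loading, and refuses to build rules from a list that is obviously wrong. Every subnet, port and interface name is a placeholder: the ITSP ranges are RFC 5737 documentation space, the site ranges and RTP port range are assumed (the RTP range must match the PBX's rtp.conf).

```python
"""Allow-list SIP/RTP by ITSP and site subnet. Added example, not the talk's code."""
import ipaddress

ITSP_SUBNETS = ["198.51.100.0/24", "203.0.113.0/26"]   # placeholder, not a real ITSP
OUR_SUBNETS = ["10.8.0.0/24", "192.168.50.0/24"]       # assumed VPN + office ranges
SIP_PORT = 5060                                        # UDP SIP only; add 5061/TCP the same way if used
RTP_PORTS = (10000, 20000)                             # assumed rtpstart/rtpend from rtp.conf
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_subnets(cidrs, min_prefix=16):
    """Parse CIDRs strictly. A typo here either exposes the PBX to the world
    (prefix too short) or silently drops the carrier (host bits set)."""
    nets = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=True)      # "198.51.100.5/24" is rejected
        if net.prefixlen < min_prefix:
            raise ValueError(f"{c} is broader than /{min_prefix}; probably a typo")
        nets.append(net)
    return nets


def check_lists(itsp, ours):
    """An ITSP entry in RFC 1918 space, or one overlapping a site range, means
    one of the two lists is wrong; refuse to build rules from it."""
    for n in itsp:
        if any(n.overlaps(p) for p in RFC1918):
            raise ValueError(f"ITSP subnet {n} is private address space")
        for o in ours:
            if n.overlaps(o):
                raise ValueError(f"ITSP subnet {n} overlaps site subnet {o}")


def build_rules(itsp_cidrs=ITSP_SUBNETS, our_cidrs=OUR_SUBNETS, iface="eth0"):
    """Return iptables-restore lines: a VOIP chain that accepts SIP and RTP
    only from listed sources and drops everything else aimed at those ports."""
    itsp, ours = parse_subnets(itsp_cidrs), parse_subnets(our_cidrs)
    check_lists(itsp, ours)
    lo, hi = RTP_PORTS
    lines = ["*filter", ":VOIP - [0:0]", f"-A INPUT -i {iface} -p udp -j VOIP"]
    for net in itsp + ours:
        # Media often arrives from a different provider subnet than signalling,
        # which is why the slide asks the ITSP for *all* of their subnets.
        lines.append(f"-A VOIP -s {net} -p udp --dport {SIP_PORT} -j ACCEPT")
        lines.append(f"-A VOIP -s {net} -p udp --dport {lo}:{hi} -j ACCEPT")
    lines.append(f"-A VOIP -p udp --dport {SIP_PORT} -j DROP")
    lines.append(f"-A VOIP -p udp --dport {lo}:{hi} -j DROP")
    lines.append("COMMIT")
    return lines


def peer_allowed(ip, itsp_cidrs=ITSP_SUBNETS, our_cidrs=OUR_SUBNETS):
    """Would this source get through? Useful when reading an unexpected SIP log entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in parse_subnets(itsp_cidrs) + parse_subnets(our_cidrs))


if __name__ == "__main__":
    print("\n".join(build_rules()))
```

The output is only the VOIP chain and one INPUT jump; merge it into the host's full rule set rather than loading it on its own, since a bare iptables-restore replaces the whole filter table.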
15. OpenVPN
Easy access control for networks & road warriors
Two-factor authentication (certificate + password)
Routed & bridged modes
Built-in support for OpenVPN in Vyatta
Windows: OpenVPN GUI (non-admin in Win7? Use subinacl utility)
Mac OS X: Viscosity
OpenVPN Access Server
16. Vyatta Network OS (~SBC)
Powerful, familiar CLI (i.e. Linux-like, with tab completion, contextual hints & help)
unionfs + RAMdisk to reduce writes on USB storage
QoS control – set aside for VoIP / data
WAN failover – combine cheap circuits
High Availability (free) & HA sync ($)
Virtualized editions available
$0 or low cost (web filtering requires subscription)
21. Requirements: Commodity Internet
Consistently:
Low latency to the ITSP
0% packet loss
Adequate bandwidth for X calls
In general: DSL or fiber for voice, (shared) cable for all other
23. Requirements: Circuit Capacity
How do we carve up the circuit?
REMEMBER: We are dealing with commodity internet (no SLA), i.e. best-effort circuit delivery
Average of 5 tests over time
80-85% of performance from averages is what we assume
Determine set-asides accordingly (calculators)
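The method on this slide and the previous one (repeat the speed test, average at least five runs, keep 80% of the average, then size the set-aside for N calls, after checking the circuit shows no loss and low latency to the ITSP) is a calculation worth seeing end to end. The script below is an added example, not the calculator the speaker used. The per-packet sizes are standard RTP/UDP/IP arithmetic; the Ethernet overhead, the OpenVPN tunnel overhead and the latency ceiling are assumptions marked in the code, and the speed-test results are constructed, not measured.

```python
"""Carve a best-effort circuit into a voice set-aside. Added example, not the talk's code."""
from statistics import mean

# RTP payload bytes per 20 ms packet; 50 packets/s in each direction.
CODEC_PAYLOAD = {"g711": 160, "g729": 20}
IP_UDP_RTP_HDR = 20 + 8 + 12       # IPv4 + UDP + RTP headers
ETHERNET_HDR = 18                  # assumption: 14-byte header + 4-byte FCS
OPENVPN_TUNNEL = 50                # assumption: outer IP/UDP + OpenVPN framing; measure yours


def kbps_per_call(codec, ptime_ms=20, tunneled=False):
    """One direction of one call including headers: the figure QoS must reserve."""
    pps = 1000 / ptime_ms
    pkt = CODEC_PAYLOAD[codec] + IP_UDP_RTP_HDR + ETHERNET_HDR
    if tunneled:
        pkt += OPENVPN_TUNNEL          # the slides tunnel everything over OpenVPN
    return pkt * 8 * pps / 1000


def usable_kbps(samples, derate=0.80):
    """Average the runs, then keep 80% (the slide's 80-85% rule of thumb)."""
    if len(samples) < 5:
        raise ValueError("average at least five tests taken at different times")
    return mean(samples) * derate


def plan_circuit(tests, codec, tunneled=True, data_reserve_kbps=0, max_rtt_ms=100):
    """tests: one dict per run {up_kbps, down_kbps, rtt_ms, loss_pct}, measured
    against the ITSP rather than a generic speed-test server.
    Returns a verdict plus the numbers to put into the QoS policy."""
    # The consistency requirement: any loss or high latency disqualifies the
    # circuit for voice, whatever its throughput looks like.
    bad = [t for t in tests if t["loss_pct"] > 0 or t["rtt_ms"] > max_rtt_ms]
    if bad:
        return {"ok": False,
                "reason": f"{len(bad)} of {len(tests)} runs had loss or rtt > {max_rtt_ms} ms"}
    per_call = kbps_per_call(codec, tunneled=tunneled)
    up = usable_kbps([t["up_kbps"] for t in tests]) - data_reserve_kbps
    down = usable_kbps([t["down_kbps"] for t in tests]) - data_reserve_kbps
    calls = int(min(up, down) // per_call)        # voice is symmetric: the slower leg wins
    return {"ok": True, "per_call_kbps": per_call, "usable_up_kbps": up,
            "usable_down_kbps": down, "max_calls": calls,
            "voice_setaside_kbps": calls * per_call}


# Constructed results for an asymmetric DSL line (illustration, not measurements).
GOOD_DSL = [
    {"up_kbps": 4800, "down_kbps": 19500, "rtt_ms": 31, "loss_pct": 0.0},
    {"up_kbps": 5100, "down_kbps": 20100, "rtt_ms": 29, "loss_pct": 0.0},
    {"up_kbps": 4900, "down_kbps": 19800, "rtt_ms": 33, "loss_pct": 0.0},
    {"up_kbps": 5000, "down_kbps": 20000, "rtt_ms": 30, "loss_pct": 0.0},
    {"up_kbps": 4700, "down_kbps": 19600, "rtt_ms": 35, "loss_pct": 0.0},
]
# The same line during a bad hour: one run with loss is enough to fail it.
LOSSY_DSL = GOOD_DSL[:4] + [{"up_kbps": 4900, "down_kbps": 19700, "rtt_ms": 140, "loss_pct": 0.4}]

if __name__ == "__main__":
    for name, runs in (("good", GOOD_DSL), ("lossy", LOSSY_DSL)):
        print(name, plan_circuit(runs, "g711"))
```

On the constructed line the upstream is the limit: 4.9 Mbit/s averaged, 3.92 Mbit/s after the 80% derate, which carries 36 G.711 calls through the tunnel (44 without it) and leaves the rest for data; the set-aside figure is what goes into the Vyatta QoS policy.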
24. Case Outcomes
Standardized carriers
Volume and trends insight – business intel.
Leverage with carriers to reduce rates
Cut call center hours by 3 hours each day
Failover between servers, sites and at the ITSP level works really well
Ability to go mobile when needed because of disasters
25. A few things to remember…
Security (least-privilege, fail2ban, VoIP best practices, etc.)
Test, test, test
Failover != backup
RAID != backup
mirror != backup
Educate and listen
Lean on the work already done
AsteriskDocs.org, Asterisk.org, voip-info.org, …
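fail2ban is on the reminder list above but, as the speaker notes say, not covered in the talk. The script below is an added example of what it does for a SIP PBX, not the talk's or fail2ban's code: it counts failed registrations per source address in a sliding window and emits a block once a threshold is reached. The regex is modelled on chan_sip's "Registration from … failed for …" NOTICE lines; the log, the window, the threshold, the ignored subnet and the ban command are all constructed or assumed (fail2ban's own defaults vary by version). The caveat it demonstrates is the ignore list: without an exemption for your own VPN and ITSP ranges, one phone with a mistyped password bans a whole site.

```python
"""Fail2ban-style SIP registration brute-force detection. Added example, not the talk's code."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<acct>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<why>.+)$"
)

# Constructed log: a slow scanner, a fast scanner, a noise line, and a VPN phone
# with a wrong password. Addresses are documentation/private space, not real hosts.
SAMPLE_LOG = """\
[2013-05-03 09:00:00] NOTICE[2103] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '198.51.100.77:5060' - No matching peer found
[2013-05-03 09:05:00] NOTICE[2103] chan_sip.c: Registration from '"test" <sip:test@192.0.2.10>' failed for '198.51.100.77:5060' - No matching peer found
[2013-05-03 09:10:00] NOTICE[2103] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '198.51.100.77:5060' - No matching peer found
[2013-05-03 09:15:00] NOTICE[2103] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.77:5060' - No matching peer found
[2013-05-03 09:20:00] NOTICE[2103] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '198.51.100.77:5060' - No matching peer found
[2013-05-03 10:12:01] NOTICE[2103] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.200:5060' - Wrong password
[2013-05-03 10:12:02] NOTICE[2103] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.200:5060' - No matching peer found
[2013-05-03 10:12:02] NOTICE[2103] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.200:5060' - No matching peer found
[2013-05-03 10:12:03] NOTICE[2103] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.200:5060' - No matching peer found
[2013-05-03 10:12:03] NOTICE[2103] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.200:5060' - No matching peer found
[2013-05-03 10:12:04] NOTICE[2103] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '203.0.113.200:5060' - No matching peer found
[2013-05-03 10:13:00] NOTICE[2103] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
[2013-05-03 10:15:00] NOTICE[2103] chan_sip.c: Registration from '"2001" <sip:2001@10.8.0.1>' failed for '10.8.0.5:5060' - Wrong password
[2013-05-03 10:15:01] NOTICE[2103] chan_sip.c: Registration from '"2001" <sip:2001@10.8.0.1>' failed for '10.8.0.5:5060' - Wrong password
[2013-05-03 10:15:02] NOTICE[2103] chan_sip.c: Registration from '"2001" <sip:2001@10.8.0.1>' failed for '10.8.0.5:5060' - Wrong password
[2013-05-03 10:15:03] NOTICE[2103] chan_sip.c: Registration from '"2001" <sip:2001@10.8.0.1>' failed for '10.8.0.5:5060' - Wrong password
[2013-05-03 10:15:04] NOTICE[2103] chan_sip.c: Registration from '"2001" <sip:2001@10.8.0.1>' failed for '10.8.0.5:5060' - Wrong password
[2013-05-03 10:15:05] NOTICE[2103] chan_sip.c: Registration from '"2001" <sip:2001@10.8.0.1>' failed for '10.8.0.5:5060' - Wrong password
"""


def find_bans(lines, maxretry=5, window_s=600, ignore=("10.8.0.0/24",)):
    """Sliding-window count of failures per source; any source reaching
    maxretry failures inside window_s seconds is banned once. Sources in the
    ignore list (assumed here: the site VPN range) are never banned."""
    ignore_nets = [ipaddress.ip_network(c) for c in ignore]
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # other NOTICE lines are not failures
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if any(ipaddress.ip_address(ip) in n for n in ignore_nets):
            continue                        # our own phones: never auto-ban
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                     # forget failures older than the window
        if len(q) >= maxretry and ip not in bans:
            bans[ip] = {"at": ts, "failures": len(q), "last_reason": m["why"]}
    return bans


def ban_commands(bans):
    """The action fail2ban would take; assumed iptables form, not its actual template."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    print("\n".join(ban_commands(find_bans(SAMPLE_LOG.splitlines()))))
```

On the constructed log only 203.0.113.200 is banned: the slow scanner never has five failures inside ten minutes, and the VPN phone is exempt. Drop the ignore list and the phone is blocked after five seconds, which is the mistake the ignore list exists to prevent.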
27. Short Review
Solution: providers, HW, SW, security
More questions?
Dennis Little, tapestry technologies
IRC: KeyCruncher
web: KeyCruncher.com, MyBusinessTelephone.com
dennis@tapestrytech.com
(877) 372-6782
Thank you, Digium & tapestry technologies
Thank YOU for coming
28. Resources
FoxconnChannel.com
Polycom.com
SuperMicro.com
Digium.com
PBXinaFlash.net
OpenVPN.net / .se
Vyatta.org
Linux-KVM.org
DRBD.org
Vitelity.com
Bandwidth.com
Speaker notes
My goal: present lessons learned and solution highlights, give you enough to get started and ask me or the community questions, support worthy projects and providers
Love technology and people: teaching efficiency & communications. Experience: SMB & Fortune 500 – generally on the SMB side; Rite Aid acquisition of Eckerd Drug (~1850 stores). Fascination with telephones: age 5, kitchen phone, pinched wire.
Started out on Nortel, hands-on support. Avaya: RHEL, MySQL, SIP + proprietary. Very expensive, land-locked solutions: ~$32k for a 40-person office. Started looking for a small office solution: discovered trixbox & Aastra. Asterisk can almost always do everything the big boys can do.
Everything that I will talk about in this case study is represented by one of these three companies
Lodging solutions. Rapid growth predicted. Geographically dispersed and needed to be able to connect easily. Reservations, file sharing already in place in central colo. Needed something flexible & affordable to grow and scale with the business: Asterisk was the answer.
Failover strategy depends heavily on the client’s tolerance for downtime and the tolerance, in turn, of their clients for the same
Foxconn - around $160/each
Not going to cover PIAF and iptables/Fail2ban. OpenVPN – easy to phone home = easy provisioning.
Viscosity does seem to have a quirk with network routing delay – anyone found anything better?